
A.15.1.1 Information Security Policy for Supplier Relationships

Suppliers are used for two main reasons: one, you want them to do work that you have chosen not
to do internally yourself; or two, you can't easily do the work as well or as cost-effectively as the
suppliers.

There are many important things to consider in the approach to supplier selection and management,
but one size does not fit all and some suppliers will be more important than others. As such,
your controls and policies should reflect that too, and a segmentation of the supply chain is
sensible; we advocate four categories of supplier based on the value and risk in the
relationship. These range from those who are business critical through to other vendors who have
no material impact on your organisation.
Some suppliers are also more powerful than their customers (imagine telling Amazon what to do if
you are using their AWS services for hosting), so it's pointless having controls and policies in place
that the suppliers will not adhere to. Therefore reliance on their standard policies, controls and
agreements is more likely – meaning that supplier selection and risk management become even
more important.
In order to take a more forward-looking approach to information security in the supply chain with the more
strategic (high value / higher risk) suppliers, organisations should also avoid binary 'comply or die'
risk-transferring practices, e.g. awful contracts that prevent good collaboration. Instead we
recommend they develop closer working relationships with those suppliers where high value
information and assets are at risk, or where the supplier is adding to your information assets in some (positive)
way. This is likely to lead to improved working relationships, and therefore deliver better business
results too.
A good policy describes the supplier segmentation, selection, management and exit, and how information
assets around suppliers are controlled in order to mitigate the associated risks while still enabling the
business goals and objectives to be achieved. Smart organisations will wrap their information
security policy for suppliers into a broader relationship framework and avoid concentrating on
security per se, looking to the other aspects as well.

An organisation may want suppliers to access and contribute to certain high value information
assets (e.g. software code development, accounting and payroll information). It would therefore
need clear agreements on exactly what access it is allowing them, so it can control
the security around it. This is especially important with more and more information management,
processing and technology services being outsourced. That means having a place to show that
management of the relationship is happening: contracts, contacts, incidents, relationship activity,
risk management etc. Where the supplier is intimately involved in the organisation but
may not have its own certified ISMS, ensuring that supplier staff are educated and aware of
security, trained on your policies etc. is also worth demonstrating compliance around.

A.15.1.2 Addressing Security Within Supplier Agreements

All relevant information security requirements must be in place with each supplier that has access
to or can impact the organisation's information (or assets that process it). Again, this should not be
one size fits all – take a risk-based approach around the different types of suppliers involved and the
work they do. Working with suppliers that already meet the majority of your organisation's
information security needs for the services they provide to you, and that have a good track record of
addressing information security concerns responsibly, is a very good idea – as it will make all of
these processes much easier.

In simple terms, look for suppliers that have already achieved an independent ISO 27001
certification or equivalent themselves. It is also important to ensure that the suppliers are being
kept informed and engaged with any changes to the ISMS, or specifically engaged around the parts
that affect their services. Your auditor will want to see this evidenced – so, by keeping a record of
this in your supplier onboarding projects or annual reviews, it will be easy to do so.

Things to include in the supply scope and agreements are generally: the work and its scope;
information at risk and its classification; legal and regulatory requirements, e.g. adherence to GDPR
and/or other applicable legislation; reporting and reviews; non-disclosure; IPR; incident
management; specific policies to comply with if important to the agreement; obligations on
subcontractors; screening of staff etc.

A good standard contract will deal with these points, but as above, sometimes it might not be
required, could be way over the top for the type of supply, or it might not be possible to force
a supplier to follow your idea of good practice. Be pragmatic and risk-centred in the approach. This
control objective also ties in closely with Annex A.13.2.4, where confidentiality and non-disclosure
agreements are the main focus.

A.15.1.3 Information & Communication Technology Supply Chain

A good control builds on A.15.1.2 and focuses on the ICT suppliers who may need something in
addition to, or instead of, the standard approach. ISO 27002 advocates numerous areas for
implementation and, whilst these are all good, some pragmatism is needed as well. The
organisation should again recognise its size compared to some of the very large providers that it
will sometimes be working with (e.g. datacentres and hosting services, banks etc.), which
potentially limits its ability to influence practices further into the supply chain. The organisation
should consider carefully what risks there may be based upon the type of information and
communication technology services that are being provided. For example, if the supplier is a
provider of critical infrastructure services and has access to sensitive information (e.g. source code
for the flagship software service), it should ensure there is greater protection than if the supplier is
simply exposed to publicly available information (e.g. a simple website).

A.15.2.1 Monitoring & Review of Supplier Services

A good control builds on A.15.1 and describes how organisations regularly monitor, review and
audit their supplier service delivery. Conducting reviews and monitoring is best done based on the
information at risk – as a one size approach will not fit all. The organisation should aim to conduct
its reviews in line with the proposed segmentation of suppliers in order to optimise its
resources and make sure that it focuses effort on monitoring and reviewing where it will have the
most impact. As with A.15.1, sometimes there is a need for pragmatism – you are not necessarily
going to get an audit, human relationship review and dedicated service improvements from AWS if
you are a very small organisation. You could, however, check (say) that their annually published SOC 2
reports and security certifications remain fit for your purpose.

Evidence of monitoring should be completed based on your power, risks and value, allowing
your auditor to see that it has been completed and that any necessary changes have
been managed through a formal change control process.

A.15.2.2 Managing Changes to Supplier Services

A good control describes how any changes to the provision of services by suppliers, including
maintaining and improving existing information security policies, procedures and controls, are
managed. It takes into account the criticality of business information, the nature of the change, the
supplier type(s) affected, the systems and processes involved, and a re-assessment of
risks. Changes to supplier services should also take into account the intimacy of the relationship
and the organisation's ability to influence or control change in the supplier.
